Add lambda and vpc modules

Co-authored-by: Ezequiel Bellver <ebellver@itba.edu.ar>

terraform/modules/lambda/main.tf

@@ -0,0 +1,25 @@
+# ------------------------------------------------------------------------------
+# Amazon Lambda
+# ------------------------------------------------------------------------------
+
+resource "aws_lambda_function" "this" {
+
+  filename      = var.lambda_info.filename
+  function_name = var.lambda_info.function_name
+  role          = var.iam_role_arn
+  handler       = var.lambda_info.handler
+  runtime       = var.runtime
+
+  tags = {
+    name = "lambda${var.lambda_info.function_name}"
+  }
+}
+
+resource "aws_lambda_permission" "this" {
+  statement_id  = "AllowExecutionFromAPIGateway"
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.this.function_name
+  principal     = "apigateway.amazonaws.com"
+
+  source_arn = "${var.apigw_execution_arn}/*/${var.lambda_info.method}${var.lambda_info.path}"
+}

terraform/modules/lambda/outputs.tf

@@ -0,0 +1,9 @@
+output "invoke_arn" {
+  description = "The lambda function's invoke ARN"
+  value       = aws_lambda_function.this.invoke_arn
+}
+
+output "function_name" {
+  description = "The lambda function's name"
+  value       = aws_lambda_function.this.function_name
+}

terraform/modules/lambda/variables.tf

@@ -0,0 +1,44 @@
+# ------------------------------------------------------------------------
+# Amazon Lambda variables
+# ------------------------------------------------------------------------
+
+variable "account_id" {
+  type        = string
+  description = "The current Accound ID"
+}
+
+variable "local_path" {
+  type        = string
+  description = "Local path"
+}
+
+variable "lambda_info" {
+  type        = map(string)
+  description = "Contains all necesary lambda info"
+}
+
+variable "apigw_execution_arn" {
+  type        = string
+  description = "API GW execution ARN"
+}
+
+variable "subnet_ids" {
+  type        = list(any)
+  description = "The list of subnets created"
+}
+
+variable "sg_ids" {
+  type        = list(any)
+  description = "The list of subnets created"
+}
+
+variable "runtime" {
+  type        = string
+  description = "Lambda function runtime language"
+  default     = "python3.12"
+}
+
+variable "iam_role_arn" {
+  type        = string
+  description = "IAM role arn"
+}

terraform/modules/lambda/versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.0.6"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.10.0"
+    }
+  }
+}

terraform/modules/vpc/main.tf

@@ -0,0 +1,175 @@
+# module "vpc" {
+#   source = "terraform-aws-modules/vpc/aws"
+
+#   name = "my-vpc"
+#   cidr = "10.0.0.0/16"
+
+#   azs             = ["eu-west-1a", "eu-west-1b", "eu-west-1c"]
+#   private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+#   public_subnets  = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
+
+#   enable_nat_gateway = true
+#   enable_vpn_gateway = true
+
+#   tags = {
+#     Terraform = "true"
+#     Environment = "dev"
+#   }
+# }
+
+locals {
+  name   = "ex-${replace(basename(path.cwd), "_", "-")}"
+  region = "eu-west-1"
+
+  tags = {
+    Example    = local.name
+    GithubRepo = "terraform-aws-vpc"
+    GithubOrg  = "terraform-aws-modules"
+  }
+}
+
+################################################################################
+# VPC Module
+################################################################################
+
+module "vpc" {
+  source = "terraform-aws-modules/vpc/aws"
+
+  name = local.name
+  cidr = "10.0.0.0/16"
+
+  azs                 = ["${local.region}a", "${local.region}b"]
+  private_subnets     = ["10.0.1.0/24", "10.0.2.0/24"]
+  public_subnets      = ["10.0.3.0/24", "10.0.4.0/24"]
+
+  create_database_subnet_group = false
+
+  manage_default_network_acl = true
+  default_network_acl_tags   = { Name = "${local.name}-default" }
+
+  manage_default_route_table = true
+  default_route_table_tags   = { Name = "${local.name}-default" }
+
+  manage_default_security_group = true
+  default_security_group_tags   = { Name = "${local.name}-default" }
+
+  enable_dns_hostnames = true
+  enable_dns_support   = true
+
+  enable_nat_gateway = true
+  single_nat_gateway = true
+
+  # enable_vpn_gateway = false
+
+  # enable_dhcp_options = false
+
+  # enable_flow_log                      = true
+  # create_flow_log_cloudwatch_log_group = true
+  # create_flow_log_cloudwatch_iam_role  = true
+  # flow_log_max_aggregation_interval    = 60
+
+  tags = local.tags
+}
+
+module "vpc_endpoints" {
+  source = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
+
+  vpc_id             = module.vpc.vpc_id
+  security_group_ids = [data.aws_security_group.default.id]
+
+  endpoints = {
+    dynamodb = {
+      service         = "dynamodb"
+      service_type    = "Gateway"
+      route_table_ids = flatten([module.vpc.intra_route_table_ids, module.vpc.private_route_table_ids, module.vpc.public_route_table_ids])
+      policy          = data.aws_iam_policy_document.dynamodb_endpoint_policy.json
+      tags            = { Name = "dynamodb-vpc-endpoint" }
+    },
+    lambda = {
+      service             = "lambda"
+      private_dns_enabled = true
+      subnet_ids          = module.vpc.private_subnets
+    },
+    ses = {
+      service    = "ses"
+      subnet_ids = ["subnet-12345678", "subnet-87654321"]
+      tags       = { Name = "ses-vpc-endpoint" }
+    },
+  }
+
+  tags = merge(local.tags, {
+    Project  = "Secret"
+    Endpoint = "true"
+  })
+}
+
+module "vpc_endpoints_nocreate" {
+  source = "../../modules/vpc-endpoints"
+
+  create = false
+}
+
+################################################################################
+# Supporting Resources
+################################################################################
+
+data "aws_security_group" "default" {
+  name   = "default"
+  vpc_id = module.vpc.vpc_id
+}
+
+data "aws_iam_policy_document" "dynamodb_endpoint_policy" {
+  statement {
+    effect    = "Deny"
+    actions   = ["dynamodb:*"]
+    resources = ["*"]
+
+    principals {
+      type        = "*"
+      identifiers = ["*"]
+    }
+
+    condition {
+      test     = "StringNotEquals"
+      variable = "aws:sourceVpce"
+
+      values = [module.vpc.vpc_id]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "generic_endpoint_policy" {
+  statement {
+    effect    = "Deny"
+    actions   = ["*"]
+    resources = ["*"]
+
+    principals {
+      type        = "*"
+      identifiers = ["*"]
+    }
+
+    condition {
+      test     = "StringNotEquals"
+      variable = "aws:SourceVpc"
+
+      values = [module.vpc.vpc_id]
+    }
+  }
+}
+
+resource "aws_security_group" "vpc_tls" {
+  name_prefix = "${local.name}-vpc_tls"
+  description = "Allow TLS inbound traffic"
+  vpc_id      = module.vpc.vpc_id
+
+  ingress {
+    description = "TLS from VPC"
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = [module.vpc.vpc_cidr_block]
+  }
+
+  tags = local.tags
+}